Tre

Target IP: 192.168.186.84


Scanning

[screenshot: 1b0f2a534b5a9fd3ca7533ddeb7a4990.png]

There are three TCP ports open on the target machine: SSH, and two HTTP services on ports 80 and 8082. I will start enumeration with the HTTP applications on both ports.


Enumeration

Port 80: HTTP
[screenshot: 7df73dd9ea1b83b853a8738226774060.png]
This is the page served by the HTTP application on port 80. A review of the page source shows nothing interesting, so the next step is a directory search with gobuster.

[screenshot: 5e1e47745b87394b349b93b5828738be.png]
A directory search with the command gobuster dir -u http://192.168.186.84/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt produces the useful results shown above.

[screenshot: 1dc9cf0fdcddef8f5d1b5bcbe9895a20.png]
The /adminer.php page is interesting: it is the Adminer database management login shown above. Once I have credentials, this application may come in useful. The page shows two version strings, 4.7.7 and 4.8.1 (the installed version and, most likely, the newest release available upstream).

[screenshot: a5b1e9a65590655dc91bc23d0b460579.png]
There is a second site under the /cms directory. Reviewing its source reveals nothing useful, but a directory search against it might.

[screenshot: fcbdf0373d41709fcda50d187d432abc.png]
The /info.php page appears to be phpinfo() output and discloses useful details about the target: the PHP version in use, the hostname, the kernel version and so on.

[screenshot: 84d6a19a46952f6a1c1ba7d164f0f13f.png]
The /mantisbt page hosts a Mantis Bug Tracker instance, but it requires login details. Time to enumerate further; after enumerating the other ports, I came back to this application.

[screenshot: 0698edba6a3049a53276101b51448666.png]
A directory search against /mantisbt with the command gobuster dir -u http://192.168.186.84/mantisbt/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt returns the interesting pages shown above.

[screenshot: ff77b8543dd170388946d46b7ee1cae4.png]
One of these is the /config directory, which holds the configuration files for the Mantis Bug Tracker installation and whose listing is browsable. Two files stand out: a.txt and data.sql.

[screenshot: 3a86a99dbe979ed1b0291e9a8313e81d.png]
The SQL dump contains the user administrator with the password root, as shown above. Trying this pair against /adminer.php and /mantisbt did not work, however; it looks like this account has been disabled or its password changed since the dump was taken.


Exploitation

[screenshot: b9a0cd00d8d001851b1f411494cf4280.png]
The mantisbt/config/a.txt file contains the hardcoded credentials mantisuser:password@123AS, and they work against /adminer.php.

[screenshot: 46eb12fb34f7eac7b206a2722be903d6.png]
Now I have access to the application's SQL database through Adminer, and I can run arbitrary SQL statements. There is an interesting table called mantis_user_table inside the mantis database.

[screenshot: ba9a0770d379266a6cefae707c1e94c7.png]
The statement SELECT * FROM mantis.mantis_user_table; returns two rows. Besides administrator there is a user called tre with the password hash 64c4685f8da5c2225de7890c1bad0d7f (32 hex characters, consistent with MantisBT's default MD5 login method). Attempts to crack this hash were unsuccessful. However, the realname column for tre is interesting: it looks like a password rather than a name, and a likely SSH credential.

[screenshot: e6254144f639378abb606d35448057fd.png]
Trying the credentials tre:Tr3@123456A! against the various web login pages failed, but they work for SSH. I now have a foothold on the machine as tre.


Privilege Escalation

[screenshot: 95957d875ac53c18d8779e1b55b5cbf0.png]
Running sudo -l as tre shows that tre can execute the binary /sbin/shutdown through sudo. On its own that only lets me shut the box down, but it becomes useful later.

[screenshot: 5054a1cbce41f22678272a88cfda9b33.png]
I transferred pspy64 to the target machine. Running it shows a binary called /usr/bin/check-system being executed every second.

[screenshot: b523b6ff86592228596468cb91b66ad5.png]
And I have write permission on this file! vim was unable to save changes to it, so I used nano instead. I appended a command to the script that sets the SUID bit on the nano editor, so that nano runs with root privileges the next time the script executes as root.

[screenshot: 20a5a633816ed956381ed7612ffe381e.png]
The already-running copy of check-system did not pick up the change, so I shut the machine down using the sudo right over /sbin/shutdown. After connecting again over SSH once it was back up, I see that the SUID bit is set on nano: the modified check-system script ran as root during startup.

[screenshot: 4aeebdb3ad83ee1b0eca0b869f0d3890.png]
With the SUID nano I edited /etc/sudoers to grant tre full root privileges through sudo.

[screenshot: 757772d903f1241ee1051563cbe99b4b.png]
Now I just have to spawn a shell as root. Running sudo -l confirms the privileges I added to /etc/sudoers, and sudo bash gives me a root shell. GG!
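The privilege escalation above hinges on one check: is a script that root executes writable by the low-privileged user? The shell snippet below, which is an added example and not part of the original writeup or of the target machine, automates that triage. It parses a constructed log in pspy's "CMD: UID=... PID=... | command" line format (assumed to have been saved to a file on the target), pulls out every absolute path from commands run as UID 0, and reports the ones the current user can write to. The log content, the paths in it and the function names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: triage writable scripts that root executes, using pspy-style log lines.
# Constructed sample log (not real output from the target machine).
SAMPLE_PSPY_LOG='2021/03/05 10:00:01 CMD: UID=0     PID=1234   | /bin/sh /usr/bin/check-system
2021/03/05 10:00:02 CMD: UID=0     PID=1236   | /usr/bin/check-system
2021/03/05 10:00:02 CMD: UID=1000  PID=1237   | /bin/bash -c ls'

# root_cmd_paths LOG: print, one per line and de-duplicated, every absolute path that
# appears in the command part of a UID=0 line, i.e. files executed by root.
root_cmd_paths() {
  printf '%s\n' "$1" \
    | grep 'UID=0 ' \
    | sed -n 's/.*| //p' \
    | tr ' ' '\n' \
    | grep '^/' \
    | sort -u
  return 0
}

# writable_by_me PATHS: from a whitespace-separated list of paths, print those that
# exist as regular files and that the current user can write to. Paths containing
# spaces are not handled; pspy output is already space-split, so this is acceptable.
writable_by_me() {
  for p in $1; do
    if [ -f "$p" ] && [ -w "$p" ]; then
      printf '%s\n' "$p"
    fi
  done
  return 0
}

# On the target this would be run against a saved pspy log, e.g.
#   writable_by_me "$(root_cmd_paths "$(cat pspy.log)")"
# Any path printed is a candidate for the technique used above: append a command such
# as "chmod u+s /bin/nano" and wait for (or force) the next root execution.
# The fix is the inverse: chown root:root and chmod 755 every script root runs.
writable_by_me "$(root_cmd_paths "$SAMPLE_PSPY_LOG")"
```

Against the constructed log the root-run paths are /bin/sh and /usr/bin/check-system; whether either is reported as writable depends on the host running the script, which is the point of the check.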


Flags

[screenshot: f9c7b524625b632f25260359ed2d17e6.png]
The local.txt flag, obtained after gaining a foothold on the target as tre over SSH.

[screenshot: 85ee8b360d8e53ed35d47e101cfcf1ba.png]
The proof.txt flag, obtained after exploiting the writable check-system script that root executes.